christippett · June 11, 2020 15:09
diff --git a/doit.tf b/doit.tf
 locals {
  org_id = ""
  project_id = ""
 }

 resource "google_service_account" "doit" {
  account_id   = "doit-management"
  display_name = "DoiT Service Account"
  project      = local.project_id
 }

 resource "google_organization_iam_member" "doit" {
  org_id = local.org_id
  role    = google_organization_iam_custom_role.doit.name
  member  = "serviceAccount:${google_service_account.doit.email}"
 }

 resource "google_organization_iam_custom_role" "doit" {
  org_id      = local.org_id
  role_id     = "doit.manager"
  title       = "DoiT Manager"
  description = "Management role for DoiT"
  stage       = "BETA"
  permissions = [
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "resourcemanager.projects.create",
    "bigquery.datasets.get",
    "bigquery.tables.get",
    "bigquery.tables.list",
    "bigquery.jobs.get",
    "bigquery.jobs.list",
    "bigquery.jobs.listAll",
    "compute.addresses.list",
    "compute.disks.get",
    "compute.disks.list",
    "compute.images.get",
    "compute.images.list",
    "compute.instances.get",
    "compute.instances.list",
    "compute.projects.get",
    "compute.regions.get",
    "compute.regions.list",
    "compute.snapshots.get",
    "compute.snapshots.list",
    "compute.zones.get",
    "compute.zones.list",
    "compute.commitments.get",
    "compute.commitments.list",
    "recommender.computeInstanceMachineTypeRecommendations.list",
    "compute.instances.setMachineType",
    "compute.instances.stop",
    "compute.instances.start",
    "serviceusage.services.enable",
    "bigquery.datasets.create",
    "logging.sinks.create",
    "logging.sinks.get",
    "bigquery.jobs.create"
  ]
 }
	locals {
	org_id = ""
	project_id = ""
	}

	resource "google_service_account" "doit" {
	account_id = "doit-management"
	display_name = "DoiT Service Account"
	project = local.project_id
	}

	resource "google_organization_iam_member" "doit" {
	org_id = local.org_id
	role = google_organization_iam_custom_role.doit.name
	member = "serviceAccount:${google_service_account.doit.email}"
	}

	resource "google_organization_iam_custom_role" "doit" {
	org_id = local.org_id
	role_id = "doit.manager"
	title = "DoiT Manager"
	description = "Management role for DoiT"
	stage = "BETA"
	permissions = [
	"resourcemanager.organizations.get",
	"resourcemanager.organizations.getIamPolicy",
	"resourcemanager.folders.get",
	"resourcemanager.folders.list",
	"resourcemanager.projects.get",
	"resourcemanager.projects.list",
	"resourcemanager.projects.create",
	"bigquery.datasets.get",
	"bigquery.tables.get",
	"bigquery.tables.list",
	"bigquery.jobs.get",
	"bigquery.jobs.list",
	"bigquery.jobs.listAll",
	"compute.addresses.list",
	"compute.disks.get",
	"compute.disks.list",
	"compute.images.get",
	"compute.images.list",
	"compute.instances.get",
	"compute.instances.list",
	"compute.projects.get",
	"compute.regions.get",
	"compute.regions.list",
	"compute.snapshots.get",
	"compute.snapshots.list",
	"compute.zones.get",
	"compute.zones.list",
	"compute.commitments.get",
	"compute.commitments.list",
	"recommender.computeInstanceMachineTypeRecommendations.list",
	"compute.instances.setMachineType",
	"compute.instances.stop",
	"compute.instances.start",
	"serviceusage.services.enable",
	"bigquery.datasets.create",
	"logging.sinks.create",
	"logging.sinks.get",
	"bigquery.jobs.create"
	]
	}